Conversation

@celdrake celdrake commented Dec 30, 2025

Adds proper checks to allowed origins for terminal functionality.

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened WebSocket security for terminal access: Origin headers are now validated and unauthorized cross-origin connection attempts are rejected. This lowers the risk of illegitimate terminal connections but may prevent upgrades from pages whose origin does not match the configured UI origin until settings or origins are aligned.

coderabbitai bot commented Dec 30, 2025

Walkthrough

Adds an unexported checkOrigin(r *http.Request) bool in terminal.go and uses it for websocket.Upgrader.CheckOrigin, allowing empty Origin, origins matching BaseUiUrl (scheme+host, case-insensitive host), or same-origin requests; other Origins are rejected and logged.

Changes

Cohort / File(s): WebSocket Origin Validation (proxy/bridge/terminal.go)
Summary: Added checkOrigin(r *http.Request) bool and replaced the upgrader's permissive CheckOrigin with origin-aware validation: allow when Origin header is absent, allow when Origin matches configured BaseUiUrl (scheme + host, case-insensitive host), allow same-origin (Origin host == request Host); reject and log other Origins.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: implementing a checkOrigin function for device terminal WebSocket origin validation.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d92bc3 and 6e69f75.

📒 Files selected for processing (1)
  • proxy/bridge/terminal.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • proxy/bridge/terminal.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: integration-tests
  • GitHub Check: Build
  • GitHub Check: Build ocp plugin
  • GitHub Check: Lint


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
proxy/bridge/terminal.go (1)

103-131: Add logging for rejected origin attempts.

Origin validation failures are rejected silently, which makes debugging connection issues and security monitoring difficult. Consider logging rejected origins with the reason for rejection.

🔎 Proposed enhancement to add rejection logging
 func checkOrigin(r *http.Request) bool {
 	origin := r.Header.Get("Origin")
 
 	// If no Origin header is present, allow the request (same-origin from browsers)
 	if origin == "" {
 		return true
 	}
 
 	originURL, err := url.Parse(origin)
 	if err != nil {
+		log.Warnf("Origin validation failed: invalid origin URL '%s': %v", origin, err)
 		return false
 	}
 
 	// Allow if origin matches the configured BaseUiUrl
 	baseURL, err := url.Parse(config.BaseUiUrl)
 	if err != nil {
 		log.Warnf("Failed to parse BaseUiUrl for origin check: %v", err)
 	} else {
 		if originURL.Scheme == baseURL.Scheme && originURL.Host == baseURL.Host {
 			return true
 		}
 	}
 
 	// Allow same-origin requests (Origin matches request Host)
 	// This handles cases where the proxy is accessed directly
 	if originURL.Host == r.Host {
 		return true
 	}
 
+	log.Warnf("Origin validation failed: origin '%s' not allowed (BaseUiUrl: %s, Host: %s)", origin, config.BaseUiUrl, r.Host)
 	return false
 }
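Review bot: both added Warnf calls format the Origin header with '%s', which writes the header value verbatim into the log; `log.Warnf("Origin validation failed: invalid origin URL '%s': %v", origin, err)` and the final Warnf should use %q so the value is escaped and unambiguous in the log stream (the later review on this PR credits the merged version for exactly that). The same-origin branch `if originURL.Host == r.Host` is also weaker than the BaseUiUrl branch directly above it: it checks no scheme and compares the host case-sensitively, so an http:// origin with the right host passes while a differently capitalised host fails; compare the scheme as the BaseUiUrl branch does and use strings.EqualFold for the host.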
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 08029e1 and 6e22e90.

📒 Files selected for processing (1)
  • proxy/bridge/terminal.go
🧰 Additional context used
🧬 Code graph analysis (1)
proxy/bridge/terminal.go (1)
proxy/config/config.go (1)
  • BaseUiUrl (16-16)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: integration-tests
  • GitHub Check: Build ocp plugin
  • GitHub Check: Build
  • GitHub Check: Lint
🔇 Additional comments (2)
proxy/bridge/terminal.go (2)

107-109: Verify the security implications of allowing requests without Origin headers.

Allowing requests with no Origin header is standard for same-origin browser requests. However, this could potentially allow non-browser clients (e.g., scripts, curl) that don't send Origin headers to bypass origin validation. Please confirm this aligns with your security requirements.

If stricter validation is needed, consider requiring Origin headers and only allowing specific exceptions (e.g., authenticated service accounts). Would you like guidance on implementing stricter validation?


192-195: LGTM! Origin validation properly integrated.

The checkOrigin function is correctly wired into the WebSocket upgrader, replacing the previous permissive behavior. This significantly improves security by preventing unauthorized cross-origin WebSocket connections.

@celdrake celdrake force-pushed the EDM-2847-implement-origin-check branch from 6e22e90 to 6d92bc3 Compare December 30, 2025 11:51
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
proxy/bridge/terminal.go (1)

98-135: Well-implemented origin validation with past feedback incorporated.

The implementation follows WebSocket security best practices:

  • Uses explicit allow-list approach with exact matching
  • Case-insensitive host comparison per RFC 3986
  • Safe logging with %q to prevent log injection
  • Logs BaseUiUrl parsing failures for debugging

One consideration for the same-origin check at line 128: it validates only the host, not the scheme. An http:// origin could pass if the host matches an https:// server. For stricter validation, you could compare the origin scheme against the expected protocol (e.g., derived from BaseUiUrl or X-Forwarded-Proto). However, this is typically mitigated by HSTS and authentication requirements, so the current implementation is reasonable for most deployments.

🔎 Optional: Add scheme validation to same-origin check
 	// Allow same-origin requests
-	if strings.EqualFold(originURL.Host, r.Host) {
+	// Compare scheme against BaseUiUrl's scheme (or default to https for production)
+	expectedScheme := "https"
+	if baseURL != nil {
+		expectedScheme = baseURL.Scheme
+	}
+	if originURL.Scheme == expectedScheme && strings.EqualFold(originURL.Host, r.Host) {
 		return true
 	}
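Review bot: `url.Parse("")` returns an empty *url.URL with no error, so when BaseUiUrl is unset the guard `if baseURL != nil` is true and `expectedScheme = baseURL.Scheme` becomes "", which rejects every same-origin upgrade instead of falling back to "https"; guard with `baseURL != nil && baseURL.Scheme != ""`. Pinning to BaseUiUrl's scheme also assumes the proxy is reached over the same scheme as the UI; where TLS is terminated in front of the proxy, the X-Forwarded-Proto option mentioned in the comment above is the one to take.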
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 6e22e90 and 6d92bc3.

📒 Files selected for processing (1)
  • proxy/bridge/terminal.go
🧰 Additional context used
🧬 Code graph analysis (1)
proxy/bridge/terminal.go (1)
proxy/config/config.go (1)
  • BaseUiUrl (16-16)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: integration-tests
  • GitHub Check: Build
  • GitHub Check: Build ocp plugin
  • GitHub Check: Lint
🔇 Additional comments (1)
proxy/bridge/terminal.go (1)

196-199: LGTM!

Correctly wires the new checkOrigin function into the WebSocket upgrader, replacing the previous permissive configuration with proper origin validation.
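
The origin-check logic described in the walkthrough (allow an absent Origin, exact scheme plus case-insensitive host match against BaseUiUrl, same-origin fallback, log rejections) and the two points raised in the reviews (the same-origin branch not checking the scheme, and Origin-less non-browser clients passing the check) can be exercised together. The following is an added example written for this page; it is not flightctl's terminal.go. The `OriginPolicy` type, its `RequireOrigin` field, the `decideOrigin` helper and every host name are assumptions or constructed samples, and the same-origin branch pins the scheme as the reviewer suggested, which the merged code may not do.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// OriginPolicy carries the inputs the origin check needs so the decision can be
// exercised without a live server. The type and its fields are assumptions made
// for this example; flightctl's own configuration lives in proxy/config.
type OriginPolicy struct {
	BaseUiUrl     string // configured UI origin, e.g. "https://ui.example.test"
	RequireOrigin bool   // stricter mode from the review discussion: reject upgrades without Origin
}

// policy is a constructed sample configuration, not a real deployment value.
var policy = OriginPolicy{BaseUiUrl: "https://ui.example.test"}

// decideOrigin reports whether a WebSocket upgrade should be accepted and a
// short reason for the log line. origin is the raw Origin header value (may be
// empty) and host is the request's Host header.
func decideOrigin(p OriginPolicy, origin, host string) (bool, string) {
	if origin == "" {
		if p.RequireOrigin {
			return false, "missing Origin header"
		}
		// Browsers always send Origin on a WebSocket upgrade, so an absent
		// header means a non-browser client. Origin checks only defend against
		// cross-site browser pages; authentication has to cover this case.
		return true, "no Origin header (non-browser client)"
	}

	originURL, err := url.Parse(origin)
	// "null" (opaque origins) parses without error but has no scheme or host.
	if err != nil || originURL.Scheme == "" || originURL.Host == "" {
		return false, "malformed Origin"
	}

	// Allow-list match against the configured UI origin: exact scheme, and a
	// case-insensitive host because RFC 3986 hosts are case-insensitive.
	baseURL, err := url.Parse(p.BaseUiUrl)
	if err == nil && baseURL.Scheme != "" && baseURL.Host != "" {
		if originURL.Scheme == baseURL.Scheme && strings.EqualFold(originURL.Host, baseURL.Host) {
			return true, "matches BaseUiUrl"
		}
	}

	// Same-origin fallback for browsers that loaded the UI straight from the
	// proxy. The scheme is pinned to BaseUiUrl's scheme (https when unset) so an
	// http:// page cannot satisfy the check for an https:// host. url.Parse("")
	// succeeds with an empty Scheme, hence the explicit Scheme != "" guard.
	expectedScheme := "https"
	if err == nil && baseURL.Scheme != "" {
		expectedScheme = baseURL.Scheme
	}
	if originURL.Scheme == expectedScheme && strings.EqualFold(originURL.Host, host) {
		return true, "same-origin"
	}

	return false, "origin not allowed"
}

// checkOrigin has the websocket.Upgrader.CheckOrigin signature. Rejections are
// logged with %q so a header value is escaped rather than written verbatim.
func checkOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	ok, reason := decideOrigin(policy, origin, r.Host)
	if !ok {
		log.Printf("websocket upgrade rejected: origin=%q host=%q reason=%s", origin, r.Host, reason)
	}
	return ok
}

func main() {
	// Constructed sample upgrade attempts against a proxy reached as
	// proxy.example.test; none of these come from a real deployment.
	samples := []struct{ origin, host string }{
		{"", "proxy.example.test"},
		{"https://UI.Example.TEST", "proxy.example.test"},
		{"http://ui.example.test", "proxy.example.test"},
		{"https://proxy.example.test", "proxy.example.test"},
		{"http://proxy.example.test", "proxy.example.test"},
		{"https://other.example", "proxy.example.test"},
		{"null", "proxy.example.test"},
	}
	for _, s := range samples {
		ok, reason := decideOrigin(policy, s.origin, s.host)
		fmt.Printf("origin=%-30q host=%q allow=%-5t reason=%s\n", s.origin, s.host, ok, reason)
	}
}
```

Splitting the decision into a pure `decideOrigin` keeps the `*http.Request` adapter one line long and lets a table test pin down every branch: mixed-case hosts match, a scheme mismatch is rejected on both the BaseUiUrl and the same-origin path, `null` and unparseable origins are rejected, and an unset or unparseable BaseUiUrl still allows https same-origin access instead of locking everyone out.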

@celdrake celdrake force-pushed the EDM-2847-implement-origin-check branch from 6d92bc3 to 6e69f75 Compare January 9, 2026 11:59
@celdrake celdrake merged commit 64eaef1 into flightctl:main Jan 9, 2026
6 checks passed
@celdrake celdrake deleted the EDM-2847-implement-origin-check branch January 9, 2026 13:20